user737408

Reputation: 55

Restoring WordPress site after hack

My goal is for my site to have a clean bill of health when scanned on Sophos. My domain is http://www.michaelalexis.com

  1. Last year I noticed the "this site may be hacked" tag on Google.
  2. I used Google Webmaster Tools and a scan from my hosting provider (DreamHost) to clear out a bunch of malicious code. There appeared to be two types: 1. "we are a group protesting against...", and 2. a bunch of Japanese content that I think is spammy SEO product stuff?
  3. That didn't clear things up on Google Webmaster Tools, so I deleted everything on the domain and did a fresh reinstall of WordPress. There are minimal plugins, most of which are by Automattic.
  4. It worked! Google Webmaster Tools is clear.
  5. I signed up for Campaign Monitor for forms, and they blocked my access. They showed me this page as the reason: https://www.virustotal.com/en/url/83ea6e0588af14c5c71dc12bc3f9a2910df771b6315fa3d6a59688ad3ecfea52/analysis/1475631239/
  6. The Sophos issue has been there for a while; "cleanmx" is new and I don't know what that means.
  7. I've gone back and forth with DreamHost a couple of times. They say that by their scans the site is totally clean. Google Webmaster Tools also shows no issue.
  8. However, stuff like this still appears on Google (my domain is michaelalexis.com): https://www.google.ca/search?q=michaelalexis.com%3A+%E3%82%BF%E3%82%AD%E3%83%AD%E3%83%B3+%E3%82%B0%E3%83%AA%E3%83%BC%E3%83%B3%E3%82%B9%E3%83%88%E3%83%A9%E3%83%83%E3%83%97+%E5%B5%A9%E4%B8%8A%E3%81%92+%E4%BD%95%E6%95%85&oq=michaelalexis.com%3A+%E3%82%BF%E3%82%AD%E3%83%AD%E3%83%B3+%E3%82%B0%E3%83%AA%E3%83%BC%E3%83%B3%E3%82%B9%E3%83%88%E3%83%A9%E3%83%83%E3%83%97+%E5%B5%A9%E4%B8%8A%E3%81%92+%E4%BD%95%E6%95%85&aqs=chrome..69i57.4984j0j7&sourceid=chrome&ie=UTF-8
  9. I don't know how many of these Japanese pages exist, or if they even exist at all. I searched the database for some of the terms I've seen come up in analytics and nothing is found.
  10. When it was hacked last year, someone had created a new database user in my DreamHost panel AND changed it in wp-config. When I did the fresh install I used a more secure password, etc., but it looks like it was replaced again. I switched back to the user I created, and I changed my DreamHost web panel password.
  11. It seems like the DreamHost web panel password was likely the issue, but I have 10+ other domains on the account and none were affected this way.

Question:

  1. How do I remove all of the Japanese content (and anything else hiding)? Do I do a fresh install of WordPress again? My goal is clean scans.
  2. What is the cleanmx issue about?

Thank you

Edit: I noticed that most of the Japanese searches lead to pages on my site that don't exist. But those pages DID exist on my old site, writerviews.com, which now forwards to michaelalexis.com. I've only found one exception where the page is actually part of mynewdomain.com/page-on-old-domain/

More examples of the Japanese searches:

https://www.google.ca/search?q=michaelalexis.com%3A+%E9%89%84%E6%9D%BF%E6%95%B7%E3%81%8D%E3%81%AE%E4%B8%8A%E3%81%AB%E6%BB%91%E3%82%8A%E6%AD%A2%E3%82%81%E3%82%B4%E3%83%A0%E3%83%9E%E3%83%83%E3%83%88%E3%81%AE%E5%9B%BA%E5%AE%9A%E6%96%B9%E6%B3%95%E3%81%AB%E3%81%A4%E3%81%84%E3%81%A6&oq=michaelalexis.com%3A+%E9%89%84%E6%9D%BF%E6%95%B7%E3%81%8D%E3%81%AE%E4%B8%8A%E3%81%AB%E6%BB%91%E3%82%8A%E6%AD%A2%E3%82%81%E3%82%B4%E3%83%A0%E3%83%9E%E3%83%83%E3%83%88%E3%81%AE%E5%9B%BA%E5%AE%9A%E6%96%B9%E6%B3%95%E3%81%AB%E3%81%A4%E3%81%84%E3%81%A6&aqs=chrome..69i57.4185j0j7&sourceid=chrome&ie=UTF-8

https://www.google.ca/search?q=michaelalexis.com%3A+%E3%82%AD%E3%83%A5%E3%83%AA%E3%82%AA%E3%82%B1%E3%83%BC%E3%82%B9+%E3%82%AC%E3%83%A9%E3%82%B9&oq=michaelalexis.com%3A+%E3%82%AD%E3%83%A5%E3%83%AA%E3%82%AA%E3%82%B1%E3%83%BC%E3%82%B9+%E3%82%AC%E3%83%A9%E3%82%B9&gs_l=serp.3...2915.6780.0.7000.23.19.2.0.0.0.285.1986.6j9j1.16.0....0...1c.1.64.serp..14.1.172...30i10k1.qovbDzO51Gw

Edit 2: Campaign Monitor said this was the issue: https://www.sophos.com/en-us//threat-center/threat-analyses/viruses-and-spyware/JS~RefC-Gen.aspx

Upvotes: 1

Views: 544

Answers (1)

Stefano Maffulli

Reputation: 490

This reminds me of a hack I suffered a long time ago (pharma hack). The infection has similar symptoms: it creates new pages that are only visible to search engines. And it installs itself inside the database, so a fresh install doesn't fix the issue, because once you restore your site, the hack is back there.

I'm not sure JS/RefC is the actual culprit here; you may need to investigate a bit more... Google sees a lot of pages with Japanese content on your site, pages that return a 404 to a proper browser though. Use https://www.google.com/webmasters/tools/googlebot-fetch to see what Google sees on your site.

Have you tried the newer Malware Remover service at DreamHost?

Upvotes: 1
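The cloaking symptom the answer describes (a crawler gets a page, a normal browser gets a 404) can be checked from the defender's side by requesting the same URL as a browser and as Googlebot and comparing the two responses. The script below is an added example, not code from the question, the answer or DreamHost; the user-agent strings, the CJK-ratio threshold and the embedded sample responses are constructed assumptions.

```python
import re
import sys
import urllib.error
import urllib.request

# Assumed user-agent strings: crawler-keyed cloaks look for the Googlebot one;
# the browser string is the control.
BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/49.0"
GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
CJK_RE = re.compile(r"[\u3040-\u30ff\u4e00-\u9fff]")  # hiragana, katakana, CJK
CJK_SHIFT = 0.3  # assumed threshold: share of letters that flips to CJK

def cjk_ratio(text: str) -> float:
    """Fraction of alphabetic characters in text that are Japanese/CJK."""
    letters = [c for c in text if c.isalpha()]
    if not letters:
        return 0.0
    return sum(1 for c in letters if CJK_RE.match(c)) / len(letters)

def fetch(url: str, user_agent: str, referer: str = ""):
    """Return (status, body) for url as seen by one user agent; some cloaks
    also key on a google.com Referer, so it can be supplied for the crawler view."""
    headers = {"User-Agent": user_agent}
    if referer:
        headers["Referer"] = referer
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:  # a 404 still carries a body
        return err.code, err.read().decode("utf-8", "replace")

def classify(browser_view, crawler_view):
    """Compare the two views of one URL and return a list of cloaking findings."""
    (b_status, b_body), (c_status, c_body) = browser_view, crawler_view
    findings = []
    if b_status != c_status:
        findings.append(f"status differs: browser={b_status} crawler={c_status}")
    if cjk_ratio(c_body) - cjk_ratio(b_body) > CJK_SHIFT:
        findings.append("crawler view is mostly CJK text, browser view is not")
    return findings

if __name__ == "__main__":
    if len(sys.argv) > 1:  # live check of one URL, e.g. a 404 path reported in Search Console
        views = fetch(sys.argv[1], BROWSER_UA), fetch(sys.argv[1], GOOGLEBOT_UA, "https://www.google.com/")
    else:  # constructed sample: browser gets a 404, crawler gets Japanese spam text
        views = (404, "<h1>Not Found</h1>"), (200, "<p>激安 通販 人気 ブランド</p>")
    print("\n".join(classify(*views)) or "no difference between the two views")
```

Run it against the paths Google lists for the Japanese queries; a clean site shows no difference between the two views, while a cloaked page shows a status or language shift that the hosting provider's file scan will not surface.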
